Modeling Large S-box in MILP and a (Related-Key) Differential Attack on Full Round PIPO-64/128

Abstract

The differential characteristic search problem is converted into mixed integer linear programming (MILP) model to get the bound against differential attack. The difference distribution table is used to write the linear inequalities for MILP modeling of S-box. To construct a reduced set of such inequalities, we present the approaches based on Quine-McCluskey(QM) and Espresso algorithms that are used for active S-box minimization and probability optimization respectively. These approaches are used to search the differential characteristics for lightweight block cipher PIPO-64/128. There are 20621 inequalities in 23 variables corresponding to possible difference transitions in the DDT and these are minimized to 6035 inequalities. MILP model based on these inequalities is used to optimize the probability of differential and impossible differential characteristics for PIPO-64/128 reduced to 9 and 4 rounds respectively. We construct an iterative 2-round related-key differential characteristic with the probability of \(2^{-4}\) and that is used to present a full round related-key differential distinguisher with the probability of \(2^{-24}\). We develop a key recovery attack using related keys on full round PIPO-64/128 with the data complexity of \(2^{32}\). We present a major collision in PIPO-64/128 which produces the same ciphertext (C) by encrypting the plaintext (P) under two different keys.

Appendix

1.1 A \(C = E(P,K) = E(P,K^{'})\) where \(K^{'} = K \oplus \varDelta K\) K = 0x6DC416DD779428D27E1D20AD2E152297 \(\varDelta K\) = 0x00400008010010000020000020000000

No.	Plaintext (P)	Ciphertext (C)
1	0xFFEAF697D7FCE742	0xCDE57DF09ECF4F7D
2	0xFCFFE1E57B3EE1B0	0x964DFE673B256413
3	0xFE9DAF4B7CDF3C62	0x5A204F91F5B3BEE2
4	0xBFE622F4EDF3FF2A	0x2C41558C8D728AD0
5	0xE7FFA8E4E8F95AF5	0xEB10BDFF059CF6A0
6	0xBDFDE7BAFFF6E73E	0x009AEE178347B174
7	0x7FFB2EFE657B19E7	0xD387F51CC4D0755A
8	0x2FF9393C75FB73F1	0x46B43D51ABE5146D
9	0x6EFE60A8EFFF5F2F	0x4F687CEC564569ED
10	0xF8EFFEB4EFFC9A70	0x923B7FDBAE0812CC
11	0xFD976646A1A3B40C	0xC433269EE6751443
12	0x6FF431B77B748CB5	0x5041B64C120B2673
13	0xE3EBED217F6FEB3F	0x56072F13AA0DB152
14	0xE35BF593EB9D32F0	0x1046EFDED93A860F
15	0xFFF76DCC8F77FA1B	0x73D7C7FFE4A78EF6
16	0x77FF282B3F7F8121	0xAD7D75F547410892
17	0x3E6FAB372BFB5F23	0x17C097CDE69D86BA
18	0xEFFABDB4F6F7032E	0x98731593F9EFC0D7
19	0x75926BBA4F77726F	0xDF4974E78B9FEC13
20	0xEBE465797D6BAD63	0x7432FC827038315B

1.2 B MILES: MInimized Linear inEqualities for Large S-Boxes

We present expresso based tool MILES to generate the linear inequalities for larges S-boxes and this tool is based on the Espresso algorithm [12]. The S-box is given as an input to the tool and it outputs a minimized set of linear inequalities that is required to model the MILP problem. MILES is the first tool that uses the full DDT of 8-bit S-box to generate the linear inequalities. In MILES, there are four processes which are applied sequentially to generate the minimized linear inequalities. These process are described as follows:

1. 1.

   DDT generation. In this process, MILES takes m-bit S-box (m\(\ge \)3) as input and generates a DDT of the S-box. The DDT (\(2^m\times 2^m\)) is 2-Dimensional array where row indices (y-axis) define input difference while column indices (x-axis) define the output difference. We define a function \(f_{i,j}\) to represent the DDT of S-box which provides the number of occurrences of output difference \(\varDelta _j\) corresponding to input difference \(\varDelta _i\) (Eq. 1).

   $$\begin{aligned} f_{i,j}= Frequency_{\varDelta _i \rightarrow \varDelta _j} \text {where} \text { } 0 \le i,j \le m \end{aligned}$$

   (4)

   This DDT is used as an input in the next process.

2. 2.

   DDT to truth table conversion. In this process, the input DDT is converted into a truth table. This truth table specifies the input and output points of the DDT as input variables. To simplify it, we specify only non-zero entries of the DDT and corresponding output variable as 1. MILES can generate three kinds of truth tables (\(\star \)-TT,p-TT,f-TT) from the DDT. The \(\star \)-TT table corresponds to the non-zero entries in the DDT and p-TT corresponds to the non-zero entries in DDT for a specific probability (p). The f-TT table corresponds to the non-zero entries with extra input variable for each probability.

3. 3.

   Truth table minimization. MILES interfaces with Espresso to perform minimization of the truth table. The output of minimization is TT\(_{min}\) which is used to generate the minimized linear inequalities. The TT\(_{min}\) is similar to the truth table and it contains an additional symbol (‘−’). The output variable in TT\(_{min}\) is independent of input variable corresponding to this additional symbol. The minimization process can be performed with various modes available in Espresso algorithm. These options are chosen in MILES as minimization strategy. These strategies are problem specific and a particular strategy may not provide best solution for all problems. The minimized truth tables corresponding to \(\star \)-TT, p-TT, and f-TT are represented as \(\star \)-TT\(_{min}\), p-TT\(_{min}\), and f-TT\(_{min}\) respectively.

4. 4.

   Linear inequalities generation. After minimization process, MILES generate the linear inequalities. Each linear inequality corresponds to one entry in TT\(_{min}\). If a value in the entry is 0 then it is expressed as variable x and if it is 1 then it is expressed as \(1-x\). The value ‘−’ in the TT\(_{min}\) does not contribute in the inequality generation process.

1.3 C Example: Linear Inequalities Generation using MILES

We describe the process to generate the linear inequalities for a 3-bit S-box (Table 12). The DDT (Table 13), f-TT (Table 14), and f-TT\(_{min}\) (Table 15) are generated using MILES. The set of minimized linear inequalities for this S-box is given in Table 16.

Table 12. 3-bit S-box

Table 13. DDT of S-box

Table 14. f-TT of DDT

Table 15. f-TT\(_{min}\) for f-TT

Table 16. Linear inequalities generated from f-TT\(_{min}\)